gh0strat | 8e599267e624e8865dc1377d533cbbed11a53d18cb3de3946e62e5887b06b641

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wpsupdate.msi
Size

26.2MB
MD5

6172dbd24d1ccc413437ee5d9f38a750
SHA1

4c24165e5d375ecaf5b5c49d831e48f70833bcfa
SHA256

8e599267e624e8865dc1377d533cbbed11a53d18cb3de3946e62e5887b06b641
SHA512

362432449d23d40fa0d2ccf27e608e063b083d23da9fa1c3ad10cf3772763421859fa91bf2c3bbd257f1a8e8ef723930dd758d009ff0cfbaf4be96316dd0fc0d
SSDEEP

786432:HURQ1YYrOtsAdzpQof4c01tYhGYrmeGY3TT5:H2sRzeI8iCT5

Score

10^/10

gh0strat purplefox bootkit discovery persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4500-74-0x000000002B760000-0x000000002B91B000-memory.dmp	purplefox_rootkit
behavioral2/memory/4500-76-0x000000002B760000-0x000000002B91B000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4500-74-0x000000002B760000-0x000000002B91B000-memory.dmp	family_gh0strat
behavioral2/memory/4500-76-0x000000002B760000-0x000000002B91B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	TpuaDVwAtO28.exe
File opened (read-only)	\??\Z:	TpuaDVwAtO28.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	TpuaDVwAtO28.exe
File opened (read-only)	\??\R:	TpuaDVwAtO28.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	TpuaDVwAtO28.exe
File opened (read-only)	\??\M:	TpuaDVwAtO28.exe
File opened (read-only)	\??\Q:	TpuaDVwAtO28.exe
File opened (read-only)	\??\V:	TpuaDVwAtO28.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	TpuaDVwAtO28.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	TpuaDVwAtO28.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	TpuaDVwAtO28.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	TpuaDVwAtO28.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	TpuaDVwAtO28.exe
File opened (read-only)	\??\J:	TpuaDVwAtO28.exe
File opened (read-only)	\??\T:	TpuaDVwAtO28.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	TpuaDVwAtO28.exe
File opened (read-only)	\??\Y:	TpuaDVwAtO28.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	TpuaDVwAtO28.exe
File opened (read-only)	\??\X:	TpuaDVwAtO28.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	TpuaDVwAtO28.exe
File opened (read-only)	\??\U:	TpuaDVwAtO28.exe
File opened (read-only)	\??\X:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	wpsupdate.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\GuidePortalRapid\Aspose.Pdf.dll	msiexec.exe
File opened for modification	C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe	FFGLWmUerQTM.exe
File created	C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe	FFGLWmUerQTM.exe
File opened for modification	C:\Program Files\GuidePortalRapid	TpuaDVwAtO28.exe
File created	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.xml	FFGLWmUerQTM.exe
File created	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe	FFGLWmUerQTM.exe
File opened for modification	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe	FFGLWmUerQTM.exe
File opened for modification	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log	tTKiMHhNtqSk.exe
File opened for modification	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log	tTKiMHhNtqSk.exe
File opened for modification	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log	tTKiMHhNtqSk.exe
File created	C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe	msiexec.exe
File created	C:\Program Files\GuidePortalRapid\wLzlKRWUCYQcfFYfQuoA	msiexec.exe
File created	C:\Program Files\GuidePortalRapid\wpsupdate.exe	msiexec.exe
File opened for modification	C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.xml	FFGLWmUerQTM.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{23F1BC36-6B08-40DD-A32A-E7BA31F7379D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFC3.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cecb.msi	msiexec.exe
File created	C:\Windows\Installer\e57cec9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cec9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
4980	FFGLWmUerQTM.exe
4584	TpuaDVwAtO28.exe
4920	wpsupdate.exe
4696	tTKiMHhNtqSk.exe
4708	tTKiMHhNtqSk.exe
2876	tTKiMHhNtqSk.exe
3428	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3216	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FFGLWmUerQTM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TpuaDVwAtO28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TpuaDVwAtO28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TpuaDVwAtO28.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TpuaDVwAtO28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TpuaDVwAtO28.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo	wpsupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common	wpsupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0	wpsupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56\|77dc1d9a9e2694fdf777c34f21cb01e9"	wpsupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wpsupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	TpuaDVwAtO28.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office	wpsupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "4503c3c9913b1b2bbb9b8ae31dd06f56"	wpsupdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "4503c3c9913b1b2bbb9b8ae31dd06f56"	wpsupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty\|2024-9-20"	wpsupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	TpuaDVwAtO28.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft	wpsupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo	wpsupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	TpuaDVwAtO28.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "20"	wpsupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "20"	wpsupdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d0039002d00320030007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00430036002d00310035002d00330037002d00450043002d00380042002d00340034000000	wpsupdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wpsupdate.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9255E7775B746E544994284282C6D9E4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9255E7775B746E544994284282C6D9E4\63CB1F3280B6DD043AA27EAB137F73D9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\PackageCode = "32B8F39D4469AE64A860107226DE41EF"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\ProductName = "GuidePortalRapid"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\PackageName = "wpsupdate.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\63CB1F3280B6DD043AA27EAB137F73D9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\63CB1F3280B6DD043AA27EAB137F73D9\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Version = "33751044"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63CB1F3280B6DD043AA27EAB137F73D9\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	msiexec.exe
592	msiexec.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4584	TpuaDVwAtO28.exe
4584	TpuaDVwAtO28.exe
2876	tTKiMHhNtqSk.exe
2876	tTKiMHhNtqSk.exe
3428	TpuaDVwAtO28.exe
3428	TpuaDVwAtO28.exe
3428	TpuaDVwAtO28.exe
3428	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe
4500	TpuaDVwAtO28.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	592	msiexec.exe
Token: SeCreateTokenPrivilege	3216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3216	msiexec.exe
Token: SeLockMemoryPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeMachineAccountPrivilege	3216	msiexec.exe
Token: SeTcbPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	3216	msiexec.exe
Token: SeTakeOwnershipPrivilege	3216	msiexec.exe
Token: SeLoadDriverPrivilege	3216	msiexec.exe
Token: SeSystemProfilePrivilege	3216	msiexec.exe
Token: SeSystemtimePrivilege	3216	msiexec.exe
Token: SeProfSingleProcessPrivilege	3216	msiexec.exe
Token: SeIncBasePriorityPrivilege	3216	msiexec.exe
Token: SeCreatePagefilePrivilege	3216	msiexec.exe
Token: SeCreatePermanentPrivilege	3216	msiexec.exe
Token: SeBackupPrivilege	3216	msiexec.exe
Token: SeRestorePrivilege	3216	msiexec.exe
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeDebugPrivilege	3216	msiexec.exe
Token: SeAuditPrivilege	3216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3216	msiexec.exe
Token: SeChangeNotifyPrivilege	3216	msiexec.exe
Token: SeRemoteShutdownPrivilege	3216	msiexec.exe
Token: SeUndockPrivilege	3216	msiexec.exe
Token: SeSyncAgentPrivilege	3216	msiexec.exe
Token: SeEnableDelegationPrivilege	3216	msiexec.exe
Token: SeManageVolumePrivilege	3216	msiexec.exe
Token: SeImpersonatePrivilege	3216	msiexec.exe
Token: SeCreateGlobalPrivilege	3216	msiexec.exe
Token: SeBackupPrivilege	4108	vssvc.exe
Token: SeRestorePrivilege	4108	vssvc.exe
Token: SeAuditPrivilege	4108	vssvc.exe
Token: SeBackupPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeBackupPrivilege	4876	srtasks.exe
Token: SeRestorePrivilege	4876	srtasks.exe
Token: SeSecurityPrivilege	4876	srtasks.exe
Token: SeTakeOwnershipPrivilege	4876	srtasks.exe
Token: SeBackupPrivilege	4876	srtasks.exe
Token: SeRestorePrivilege	4876	srtasks.exe
Token: SeSecurityPrivilege	4876	srtasks.exe
Token: SeTakeOwnershipPrivilege	4876	srtasks.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3216	msiexec.exe
3216	msiexec.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe
4920	wpsupdate.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 4876	592	msiexec.exe	94
PID 592 wrote to memory of 4876	592	msiexec.exe	94
PID 592 wrote to memory of 2488	592	msiexec.exe	96
PID 592 wrote to memory of 2488	592	msiexec.exe	96
PID 592 wrote to memory of 2488	592	msiexec.exe	96
PID 2488 wrote to memory of 4980	2488	MsiExec.exe	97
PID 2488 wrote to memory of 4980	2488	MsiExec.exe	97
PID 2488 wrote to memory of 4980	2488	MsiExec.exe	97
PID 2488 wrote to memory of 4584	2488	MsiExec.exe	99
PID 2488 wrote to memory of 4584	2488	MsiExec.exe	99
PID 2488 wrote to memory of 4584	2488	MsiExec.exe	99
PID 2488 wrote to memory of 4920	2488	MsiExec.exe	100
PID 2488 wrote to memory of 4920	2488	MsiExec.exe	100
PID 2488 wrote to memory of 4920	2488	MsiExec.exe	100
PID 2876 wrote to memory of 3428	2876	tTKiMHhNtqSk.exe	106
PID 2876 wrote to memory of 3428	2876	tTKiMHhNtqSk.exe	106
PID 2876 wrote to memory of 3428	2876	tTKiMHhNtqSk.exe	106
PID 3428 wrote to memory of 4500	3428	TpuaDVwAtO28.exe	107
PID 3428 wrote to memory of 4500	3428	TpuaDVwAtO28.exe	107
PID 3428 wrote to memory of 4500	3428	TpuaDVwAtO28.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FB49F41EC8C6223095B1044ACD591F85 E Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe
    "C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe" x "C:\Program Files\GuidePortalRapid\wLzlKRWUCYQcfFYfQuoA" -o"C:\Program Files\GuidePortalRapid\" -pzKdAioNbrgsvnIwrocNm -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe
    "C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe" -number 123 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4584
- - C:\Program Files\GuidePortalRapid\wpsupdate.exe
    "C:\Program Files\GuidePortalRapid\wpsupdate.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe
"C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe" install
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4696

C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe
"C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4708

C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe
"C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe
  "C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe" -number 264 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe
    "C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ceca.rbs

Filesize
7KB

MD5
ebdbf34a76f53822b620300de34289c6

SHA1
4b88c1e0c1edd755bcddc9a02eb1c62e999403f8

SHA256
973168e73b6a2911276d3cc84a948388d0d5d452acc1ba72cd21253cd80d37a2

SHA512
d5d4f4283b3bfa3030f0936406130ced708126eff9fa19306afe5dc6d261463a34ea2755721eb939431d0f9465fd9342f8407e260956e543063452b9ec2144f8

Download Submit
C:\Program Files\GuidePortalRapid\FFGLWmUerQTM.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Program Files\GuidePortalRapid\TpuaDVwAtO28.exe

Filesize
3.1MB

MD5
cab83f4897ba305ccf1b3811d0d46b46

SHA1
f9b0a859ccfd545ca4794d2e37f0fe92e7469c88

SHA256
45265ec03d03272fbda8eca896bdc2f72f8ac0ab862d41f7a97cd823525c0a9c

SHA512
e018957a52075c203d48a59b2e049ed0d6980fefe467bd1b49bdd2a9b7aa5efb2d0d84a2b9e24f9b3ce680d424da137a2a7c3bc14f060960fba4cfbd900431ac

Download Submit
C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log

Filesize
270B

MD5
86954539197e37d839c4bf6ee5f14eee

SHA1
64a0026808e4c514732134d633fa1f5ccd61a5e3

SHA256
e658c18d1775c3b73ea0a9c38be454606b43ea37844d9a298a11fd9a6275a809

SHA512
aa95d71742efd8872731b02b12ca7c8420ee501416ac1f47d36ad75984ac9481d8efe86b13db796344350f78f2c645f256c2938b78041e0e45b66d925faf4b06

Download Submit
C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log

Filesize
428B

MD5
3e2824bf0f8d848a1c8f4b31550d0f60

SHA1
fbdbd7db6dce217b9ec5c56a34ef96f3c50e2df6

SHA256
ca047f0378bef9bd597f55571a455b614d52b6b5bf39c2a1afab804f908c37a9

SHA512
e7e703bc694ae549b51f3b8abdafce138397a9dd321a03d48e8f5611152f4283a411414f308980f7412431268d4e8c89579a4fd977909a4ffb39b3a705fff1f5

Download Submit
C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.wrapper.log

Filesize
596B

MD5
0369ec65c4bd5583e2042f2ea646373e

SHA1
67ea06471d09150351dd6dd6136a021a8ead275f

SHA256
7d2bc7edee79039b7bb9ae26e663e61e1558d50ed8f2c127b4581d3255b81a7e

SHA512
f1f5b1a31bdac022917f521ac159056b2e6e5b68cfca7fbb7e38e1cae05594d1e68132dd2f064c923c463bd61e8e2b4a45a931bb19cfe874e90371f8117279f1

Download Submit
C:\Program Files\GuidePortalRapid\tTKiMHhNtqSk.xml

Filesize
438B

MD5
86de53b90829d5a005483f28e965d95a

SHA1
509de49e32ecf9a9dbccca19ba166dd8207079c3

SHA256
6a06a89acd0447279a72a75489294530c1634cff9287b056ee23993b5fcbc86d

SHA512
446a5caf6c3ee30ae037622af8d3be24f3b162f133ea84b8f3e2ea18d89479a9d049ac6fb65825af011e1b99e2de8bea49fc2186554ccda987138f3871f1b0f9

Download Submit
C:\Program Files\GuidePortalRapid\wLzlKRWUCYQcfFYfQuoA

Filesize
1.9MB

MD5
45dcc34b4184b6b0900686a5b1337e7d

SHA1
fcc2985d00fe937abca356d114ecf050a8853aed

SHA256
83cda810e9e4ae8bc95bd820e27dc26a86ef38f388164ba0d807bdffc4880346

SHA512
527eabefecf23c0a6e4bee2b52cb3dfaa4a7ff36c99808cf82e99e691c3a4c5b1f905fb0c0edbebe9e241888db37f73861a7ad798f8667202eb99d2e6a66777d

Download Submit
C:\Program Files\GuidePortalRapid\wpsupdate.exe

Filesize
6.0MB

MD5
57dadd6a929f64c2b1efe2d52c1c4985

SHA1
962cb227f81f885f23826c3e040aa9dbc97659cf

SHA256
996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5

SHA512
3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tTKiMHhNtqSk.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
C:\Windows\Installer\e57cec9.msi

Filesize
26.2MB

MD5
6172dbd24d1ccc413437ee5d9f38a750

SHA1
4c24165e5d375ecaf5b5c49d831e48f70833bcfa

SHA256
8e599267e624e8865dc1377d533cbbed11a53d18cb3de3946e62e5887b06b641

SHA512
362432449d23d40fa0d2ccf27e608e063b083d23da9fa1c3ad10cf3772763421859fa91bf2c3bbd257f1a8e8ef723930dd758d009ff0cfbaf4be96316dd0fc0d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
7581109c71116fda40eb914cce8e0296

SHA1
aea122f42c8da2833cdaac641e9223a57d4dc3af

SHA256
48c7175dd481f71301536356a537755340c3585ecc88e8057e926f603930f36b

SHA512
4eb81202c15100d370d55e1a508da58f4dce55a537b1dcde7e8945daca97342c62b4f695f9c35800c20abcba802adea3d11531bd9c34ab5da42815d123d4901f

Download Submit
\??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5a102afb-5d3a-4294-bc25-bf23d3c2afad}_OnDiskSnapshotProp

Filesize
6KB

MD5
64c3164416e37f03d30e5234e17037e6

SHA1
760f1c53128fc9b54992114ed75eb581953c05bc

SHA256
b488c3d280b3c0193ca0051bcdfb9acbf5df107b176aadc049c06c13b6873c0d

SHA512
c0545bbe671936482eff45b89a8b586275aead518404dbbba06ddae9e210edf5174b1b553ebc72205ceceb639e0901727f4db98b7bc22219c96ef74343190326

Download Submit
memory/4500-74-0x000000002B760000-0x000000002B91B000-memory.dmp

Filesize
1.7MB

Download
memory/4500-76-0x000000002B760000-0x000000002B91B000-memory.dmp

Filesize
1.7MB

Download
memory/4584-28-0x0000000009BD0000-0x0000000009BFA000-memory.dmp

Filesize
168KB

Download
memory/4696-46-0x00000000009C0000-0x0000000000A96000-memory.dmp

Filesize
856KB

Download